<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Gordon Taylor, Author at Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/author/gtholder/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/author/gtholder/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Wed, 12 Jun 2019 19:10:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Gordon Taylor, Author at Third Rock</title>
	<link>https://thirdrock.com/blog/author/gtholder/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>After the Risk Assessment, Then What? How Often Do I Need to Check?</title>
		<link>https://thirdrock.com/blog/2016/02/16/after-the-risk-assessment-then-what-how-often-do-i-need-to-check/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Tue, 16 Feb 2016 15:00:59 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[Disaster Recovery (BCDR)]]></category>
		<category><![CDATA[business continuity]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[contingency plan]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[disaster recovery plan]]></category>
		<category><![CDATA[emergency response plan]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk assessment]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1286</guid>

					<description><![CDATA[<p>As we noted previously, there are numerous requirements for HIPAA compliance.  A follow-up question often heard is “How often do I have to do these things?” Risk assessments officially need [&#8230;]</p>
<p>The post <a href="https://thirdrock.com/blog/2016/02/16/after-the-risk-assessment-then-what-how-often-do-i-need-to-check/">After the Risk Assessment, Then What? How Often Do I Need to Check?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As we noted <a href="http://thirdrock.com/blog/2016/01/22/hipaa-compliance-after-the-risk-assessment-then-what-data-protections/">previously</a>, there are numerous requirements for HIPAA compliance.  A follow-up question often heard is “How often do I have to do these things?”</p>
<p>Risk assessments officially need to be performed on an annual basis, but regularly reviewing your risk remediation plan throughout the year is a business “best practice” for any organization.</p>
<p>Policies and Procedures need to be reviewed and changed depending upon federal law changes and changes in your organization.  New processes, new technologies, or new locations may require revisions to your Policies and Procedures.</p>
<p>Monitoring of your networks and equipment needs to be done at least weekly for most organizations.  Any aberrations or irregularities in system configurations or file integrity identified in your networks or equipment should be addressed immediately.  Additionally, an inventory of your networks and equipment should be done at least annually with quarterly updates or after major IT procurements.</p>
<p>Privacy and security training should be done at least annually for all staff and with all new hires.  Any changes to the organization should be accompanied by refresher classes.  New employees need to be HIPAA trained within 30 days.</p>
<p>Contingency plans should be reviewed annually, making sure plans and options for data back-up, disaster recovery, and emergency mode operation are all still viable strategies for the organization in the event of an interruption to the normal course of operations.</p>
<p>If you are interested in knowing where to start, try Third Rock’s <em><a href="http://cyberquickcheck.com">HIPAA Quick-Check</a></em>. This is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.).  Remember, this is not a full risk assessment; it is just a <em>Quick-Check</em><sup>™</sup>.</p>
<p>Articles in the series:</p>
<ol>
<li><a href="http://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/">How to get Started: Risk Assessment</a></li>
<li><a href="http://thirdrock.com/blog/2015/12/03/hipaa-compliance-after-the-risk-assessment-then-what-breach-detection/">Breach Detection</a></li>
<li><a href="http://thirdrock.com/blog/2016/01/07/hipaa-compliance-after-the-risk-assessment-then-what-hipaa-education/">Education</a></li>
<li><a href="http://thirdrock.com/blog/2016/01/22/hipaa-compliance-after-the-risk-assessment-then-what-data-protections/">Data Protections</a></li>
<li>Planning for Emergency Events</li>
<li>How Often Do I Need to Check? (This Article)</li>
</ol>
<p>Sign up for our <a href="https://visitor.r20.constantcontact.com/d.jsp?llr=v5sl766ab&amp;p=oi&amp;m=1131652959189&amp;sit=ngpsxi6mb&amp;f=14fea7b9-805f-4905-9999-3718234e4f7f">newsletter</a> on the right side of this page to learn more and stay informed about HIPAA and cyber security.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1286</post-id>	</item>
		<item>
		<title>After the Risk Assessment, Then What? Planning for Emergency Events</title>
		<link>https://thirdrock.com/blog/2016/02/12/after-the-risk-assessment-then-what-planning-for-emergency-events/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Fri, 12 Feb 2016 14:45:13 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[Disaster Recovery (BCDR)]]></category>
		<category><![CDATA[business continuity]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[contingency plan]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[disaster recovery plan]]></category>
		<category><![CDATA[emergency response plan]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk assessment]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1282</guid>

					<description><![CDATA[<p>As we noted previously, there are numerous requirements for HIPAA compliance.  Being prepared for future emergency events is often identified in the Risk Assessment as a HIPAA compliance requirement that [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>As we noted <a href="http://thirdrock.com/blog/2016/01/22/hipaa-compliance-after-the-risk-assessment-then-what-data-protections/">previously</a>, there are numerous requirements for HIPAA compliance.  Being prepared for future emergency events is often identified in the Risk Assessment as a HIPAA compliance requirement that needs to be addressed.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class=" wp-image-197 alignleft" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/2014/03/disaster_ahead_200.jpg?resize=247%2C185&#038;ssl=1" alt="Disaster Ahead" width="247" height="185" />Preparing for future events is often overlooked by many healthcare entities.  Just dealing with the issues of the day can take up the majority of your time.  However, being prepared for future events, besides being a HIPAA requirement, also makes good business sense.</p>
<p>What HIPAA calls “Contingency Planning” is what most businesses call “business continuity/disaster recovery.”  Continued daily operations – data back-up, disaster recovery, and emergency mode operation are all required by HIPAA.  The testing of these contingency plans is highly recommended.  All of these are elements of business continuity/disaster recovery.</p>
<p>Planning for unexpected natural or man-made disasters allows your business to be prepared for such potential events.  Other things to consider include:</p>
<ul>
<li>Emergency Plans vs. Disaster Recovery Plans</li>
<li>Remote colocations make life easier.</li>
<li>The cloud makes data storage easier.</li>
<li>Move to secure, encrypted local, remote (co-lo) and cloud backups.</li>
<li>Have a diagram of the top two tiers of applications, the servers, and networks to recover them.</li>
<li>Auto failover simplifies testing: just fail over quarterly to your backup location.</li>
</ul>
<p>With high-speed networks, remote locations, co-location data centers, and cloud services – it is now far easier to plan for disaster recovery as you roll out new hardware and services.</p>
<p>In addition to Contingency Planning, <strong>Breach Awareness/Notification Planning</strong> needs to be in place as well.  In the event of a data breach involving unsecured PHI, there are requirements regarding</p>
<ul>
<li>the notification of individuals whose PHI has been breached,</li>
<li>the time frames for such notification,</li>
<li>the manner of notification,</li>
<li>and the content of the notification.</li>
<li>If the breach involved more than 500 individuals in one state, notices to the media are required.</li>
<li>In most cases, notification to the federal Department of Health and Human Services (HHS) is required.</li>
</ul>
<p>Having a plan in place ahead of time to address all of these requirements is essential to a healthcare entity.  Here&#8217;s an outline from our Disaster Recovery Plan to help you get started.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignnone size-full wp-image-367" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/BCDR_Plan_Diagram.png?resize=588%2C583&#038;ssl=1" alt="BCDR_Plan_Diagram" width="588" height="583" /></p>
<p>If you are interested in knowing where to start, try Third Rock’s <em><a href="http://cyberquickcheck.com">HIPAA Quick-Check</a></em>. This is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.).  Remember, this is not a full risk assessment; it is just a <em>Quick-Check</em><sup>™</sup>.</p>
<p>Articles in the series:</p>
<ol>
<li><a href="http://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/">How to get Started: Risk Assessment</a></li>
<li><a href="http://thirdrock.com/blog/2015/12/03/hipaa-compliance-after-the-risk-assessment-then-what-breach-detection/">Breach Detection</a></li>
<li><a href="http://thirdrock.com/blog/2016/01/07/hipaa-compliance-after-the-risk-assessment-then-what-hipaa-education/">Education</a></li>
<li><a href="http://thirdrock.com/blog/2016/01/22/hipaa-compliance-after-the-risk-assessment-then-what-data-protections/">Data Protections</a></li>
<li>Planning for Emergency Events (This Article)</li>
</ol>
<p>Sign up for our <a href="https://visitor.r20.constantcontact.com/d.jsp?llr=v5sl766ab&amp;p=oi&amp;m=1131652959189&amp;sit=ngpsxi6mb&amp;f=14fea7b9-805f-4905-9999-3718234e4f7f">newsletter</a> on the right side of this page to learn more and stay informed about HIPAA and cyber security.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1282</post-id>	</item>
		<item>
		<title>HIPAA Compliance – After the Risk Assessment, Then What?  HIPAA Education</title>
		<link>https://thirdrock.com/blog/2016/01/07/hipaa-compliance-after-the-risk-assessment-then-what-hipaa-education/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Thu, 07 Jan 2016 15:00:58 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA Education]]></category>
		<category><![CDATA[HIPAA fines]]></category>
		<category><![CDATA[HIPAA Training]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1182</guid>

					<description><![CDATA[<p>As we noted previously, there are numerous requirements for HIPAA compliance.   The next step we would suggest is HIPAA Training.  The Education of your staff regarding what is HIPAA and [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>As we noted <a href="http://thirdrock.com/blog/2015/12/03/hipaa-compliance-after-the-risk-assessment-then-what-breach-detection/">previously</a>, there are numerous requirements for HIPAA compliance.   The next step we would suggest is HIPAA Training.  Educating your staff about what HIPAA is and what it requires is a top priority and a government requirement.  This education can be training classes as well as knowledge of your organization’s policies and procedures.</p>
<ul>
<li><strong>Staff Training:</strong> HIPAA Privacy and Security Training, for all employees, is required to be done soon after initial employment and then periodically thereafter.</li>
<li><strong>Officer Training:</strong> In-depth HIPAA courses are required for your organization’s HIPAA Privacy and Security Officers.</li>
<li><strong>P&amp;P Based:</strong> HIPAA training must complement your organization’s HIPAA policies and procedures.</li>
<li><strong>Current: </strong>HIPAA refresher classes should be held as needed to keep staff informed about material changes in HIPAA policies and procedures.</li>
<li><strong>Documented: </strong>You must document each individual employee’s HIPAA training.</li>
</ul>
<p>A current set of HIPAA Policies and Procedures provides you a source of education through guidance to staff as to what they can and cannot do regarding HIPAA activities.  These policies and procedures should address all aspects of an organization’s healthcare activities.</p>
<ul>
<li>What can you say?</li>
<li>Whom can you say it to?</li>
<li>Who can access healthcare data?</li>
<li>With whom can you share that data?</li>
<li>What needs to be encrypted?</li>
<li>What happens if there is a breach?</li>
<li>What happens if electrical power is lost or there is a natural disaster?</li>
<li>And a myriad of other healthcare activities that involve protecting healthcare information.</li>
</ul>
<p>If you are interested in knowing where to start, try Third Rock’s <em>HIPAA Quick-Check</em> (<a href="http://cyberquickcheck.com/">http://cyberquickcheck.com/</a>), which is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA compliance.</p>
<p>Articles in the series:</p>
<ol>
<li><a href="http://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/">How to get Started: Risk Assessment</a></li>
<li><a href="http://thirdrock.com/blog/2015/12/03/hipaa-compliance-after-the-risk-assessment-then-what-breach-detection/">Breach Detection</a></li>
<li>Education</li>
</ol>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1182</post-id>	</item>
		<item>
		<title>HIPAA Compliance – After the Risk Assessment, Then What? Breach Detection</title>
		<link>https://thirdrock.com/blog/2015/12/03/hipaa-compliance-after-the-risk-assessment-then-what-breach-detection/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Thu, 03 Dec 2015 15:00:49 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA fines]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1158</guid>

					<description><![CDATA[<p>As we noted previously, there are numerous requirements for HIPAA compliance.  A top priority after the risk assessment is cyber security to prevent and detect cyber breaches. In this age [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>As we noted <a href="http://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/">previously</a>, there are numerous requirements for HIPAA compliance.  A top priority after the risk assessment is cyber security to prevent and detect cyber breaches.</p>
<p>In this age of data breaches – from cyber breaches to equipment theft/loss, addressing the issue of continuous monitoring of your network and your networked devices might be the second item to address on your list of HIPAA compliance activities.  The Office of Civil Rights (DHHS) states that security is now 80% of the requirements of compliance and protecting the PHI is the goal.</p>
<p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/cyber-attack-c707671_s.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-1134 size-full" style="margin-bottom: 10px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/cyber-attack-c707671_s.jpg?resize=267%2C200&#038;ssl=1" alt="Cyber Attack - Red Color Text on Dark Digital Background." width="267" height="200" /></a></p>
<p>The key to preventing a serious/significant PHI/ePHI data loss is to quickly identify and remediate data breaches.  The quick identification of a breach in any of its forms is the most important aspect of securing your data.  Most cyber thieves need time to attack and get into your systems and equipment; even more time to root around in your networks and files looking for valuable data; and then even more time to collect and distribute the stolen data.  Anything that reduces these time frames lessens the potential damage due to data theft.</p>
<p>Begin with a Weekly Review of your systems and software for Unauthorized Changes (or authorized changes that did not occur).  Early detection of unauthorized changes to your systems, software, and equipment can reduce the impact that malicious software code (malware) might have on your valuable ePHI data.</p>
<p>A Weekly Review of your systems and equipment compliance profiles can also reduce your vulnerability to outside attacks. This process strengthens your system and software against any future attacks by continuously maintaining compliance standards.</p>
<p>Regular Inventory reviews of all computer-related equipment are necessary to identify any theft, loss, or new additions to your network.  If you do not know what equipment you have, you certainly cannot know what information you might have lost.  Likewise, new equipment on your networks that is not properly configured can leave you vulnerable to breach attacks.</p>
<p>Continuously monitoring your systems and computer equipment will allow you to quickly identify any anomalies and proactively address any irregularities, thereby protecting your valuable ePHI data.</p>
<p>To address these issues, Third Rock offers <em>Third Rock Assurance</em><sup>™</sup>, which provides continuous monitoring of your networks and networked devices.  All types of devices (servers, desktops, network devices, databases, storage systems, virtualization infrastructures, and mobile devices) can be monitored for vulnerabilities, compliance, and changes (authorized and unauthorized), and the scans can be scheduled to run nightly, weekly, or monthly.  Go to <a href="https://thirdrock.com/compliance-solutions/continuous-compliance-monitoring/">https://thirdrock.com/compliance-solutions/continuous-compliance-monitoring/</a> for more information about continuous monitoring.</p>
<p>If you are interested in knowing where to start, try Third Rock’s <em>HIPAA Quick-Check</em> (<a href="http://cyberquickcheck.com/">http://cyberquickcheck.com/</a>), which is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance.</p>
<p>Articles in the series:</p>
<ol>
<li><a href="http://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/">How to get Started: Risk Assessment</a></li>
<li>Breach Detection</li>
<li><a href="http://thirdrock.com/blog/2016/01/07/hipaa-compliance-after-the-risk-assessment-then-what-hipaa-education/">Education</a></li>
</ol>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1158</post-id>	</item>
		<item>
		<title>HIPAA Compliance &#8211; How to Get Started?</title>
		<link>https://thirdrock.com/blog/2015/11/12/hipaa-compliance-how-to-get-started/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Thu, 12 Nov 2015 15:00:12 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ePHI. compliance]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA remediation]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1145</guid>

					<description><![CDATA[<p>You may have asked yourself – how HIPAA compliant are we really?  What constitutes HIPAA compliance?  How often do I need to check? There are numerous requirements for HIPAA compliance [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>You may have asked yourself – how HIPAA compliant are we really?  What constitutes HIPAA compliance?  How often do I need to check?</p>
<p>There are numerous requirements for HIPAA compliance – performing an annual risk assessment, up-to-date training, maintaining current policies and procedures, having a contingency plan, having your data encrypted at rest and in motion, continuous monitoring of all networks and networked devices, just to name a few.</p>
<p>Those are a lot of things to contend with but where should you start?  As Maria says in “The Sound of Music,” you start at the very beginning.  For HIPAA compliance, it is the Risk Assessment.  The risk assessment will let you know where you stand on all matters related to HIPAA compliance.</p>
<p>In fact, the U.S. Department of Health and Human Services’ Office of Civil Rights (the entity entrusted with HIPAA compliance) agrees.  As a result of their first round of federal HIPAA audits and in all of their investigations of HIPAA compliance, what the OCR noticed as the number one problem behind a HIPAA breach or a bad HIPAA Compliance audit was the lack of a current HIPAA risk assessment.  The OCR has also stated that in their next round of HIPAA audits, which began in 2015, they are concentrating on the covered entities’ risk assessment (or lack thereof).</p>
<p>Performing a HIPAA risk assessment can be a daunting task (generally the reason they are not being done in the first place).  If your company has annual revenues of more than $5 million, your “official” risk assessment needs to be done by a third party.  If your company’s annual revenues are less than $5 million, you can perform a self-administered risk assessment.  In either case, the risk assessment is the place to start.</p>
<p>At Third Rock, we have further simplified this process regarding the risk assessment.  We have created the Third Rock <em><a href="http://cyberquickcheck.com/" target="_blank" rel="noopener noreferrer">HIPAA Quick-Check</a></em>. This is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.).  Remember, this is not a full risk assessment; it is just a <em>Quick-Check</em><sup>™</sup>.</p>
<p>If your organization decides to pursue a complete, official risk assessment, Third Rock can perform these services for you – we provide both self-assessments as well as third-party assessments, depending upon your company’s size.  After the risk assessment is performed, you will receive the results of your HIPAA Risk Assessment and a Risk Remediation plan to address any shortcomings.  Plus, we’ll help you step by step through the remediation identified in the risk assessment.</p>
<p>And that’s how you get started.</p>
<p><a href="http://bit.ly/212PDej">Read the next post in the HIPAA Compliance series.</a></p>
<p>Additional Resources:</p>
<ol>
<li>Third Rock’s HIPAA and Cyber-Security Blog</li>
<li>Third Rock’s HIPAA and Cyber-Security Newsletter &amp; Subscription page</li>
<li>Third Rock – Webinar Video</li>
</ol>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1145</post-id>	</item>
		<item>
		<title>Protecting Yourself from a Cyber Breach (3 of 3)</title>
		<link>https://thirdrock.com/blog/2015/09/17/protecting-yourself-from-a-cyber-breach-3-of-3/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Thu, 17 Sep 2015 14:00:21 +0000</pubDate>
				<category><![CDATA[Third Rock]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=1001</guid>

					<description><![CDATA[<p>This article is the third in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, describing various methods to help protect your healthcare organization from [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/c758703_s-compressor.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-1036 size-full" style="margin-bottom: 10px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/c758703_s-compressor.jpg?resize=200%2C200&#038;ssl=1" alt="c758703_s-compressor" width="200" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/c758703_s-compressor.jpg?w=200&amp;ssl=1 200w, https://i0.wp.com/thirdrock.com/wp-content/uploads/c758703_s-compressor.jpg?resize=150%2C150&amp;ssl=1 150w, https://i0.wp.com/thirdrock.com/wp-content/uploads/c758703_s-compressor.jpg?resize=160%2C160&amp;ssl=1 160w" sizes="(max-width: 200px) 100vw, 200px" /></a>This article is the third in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, describing various methods to help protect your healthcare organization from breaches, and cyber-breaches in particular.</p>
<p>Last week, we highlighted the financial impact of a cyber-breach for a healthcare organization and why it is so important to protect your data from breaches.&nbsp; Today’s article will look at the two most significant approaches towards protecting your organization from costly breaches – <strong>Prevention</strong> and <strong>Detection</strong>.</p>
<p><strong><u>Preventing a Breach</u></strong> lays the groundwork for protecting valuable Protected Health Information (PHI) and ePHI, by taking proactive steps to prevent breaches from taking place altogether.&nbsp; The more effort you put into fortifying your defenses, the lower the potential for costly breaches later on.&nbsp; Here are some actions to take that can help your organization prevent a breach from taking place:</p>
<ul>
<li>Completing the required <strong>Annual HIPAA Risk Assessment</strong> is the first step in protecting your organization from a breach. This process performs two critical tasks – first, it identifies all PHI, where it is stored and how it is transmitted and secondly, the Risk Assessment identifies weaknesses or vulnerabilities that may exist in both the electronic and physical worlds.&nbsp; Deficiencies in your defenses are then prioritized and then your team can begin to remediate them in a logical and efficient manner.&nbsp; In fact, the Office of Civil Rights (OCR) of the Department of Health and Human Services, states that the annual risk assessment is the first thing they look for in an audit or a review of a breach.</li>
<li>Creating <strong>Useful and Useable Policies and Procedures</strong> that reflect the most current HIPAA Privacy and Security regulations and that are based upon how your organization does business. They should also be written in an easy-to-understand format so your employees can understand and implement them.&nbsp; If these two requirements are not met, they will not be adopted and implemented successfully, leaving your business vulnerable and non-compliant.</li>
<li>Incorporating <strong>Practical and Up-to-date Training</strong>, which is required by the HIPAA Privacy and Security rules, enables staff to learn the current requirements of those regulations, thereby further protecting PHI and ePHI in the workplace.</li>
<li><strong>Encrypting Data</strong>, both at rest and in motion, prevents breached data from being recovered by cyber thieves, since the breached data is rendered unreadable without the correct encryption “key.”</li>
<li>Using <strong>Security Software</strong> (Norton, McAfee, ESET, etc.) helps prevent malware, phishing, viruses, and other threats from entering your computer systems and devices.</li>
</ul>
<p>Unfortunately, breach prevention activities are not enough.&nbsp; As recent headlines have shown, cyber-breaches are happening with greater frequency and ferocity.&nbsp; Should a breach occur, <strong><u>Detecting the Breach</u></strong> in a timely manner becomes the key factor in mitigating the damage it causes.&nbsp; The sooner you can detect and correct the breach, the better your protection of PHI and ePHI.</p>
<p>All types of devices (servers, desktops, printers, network devices, databases, storage systems, virtualization infrastructures, mobile devices, etc.) need to be regularly monitored for vulnerabilities, compliance, and changes (both known and unknown).</p>
<ul>
<li><strong>Vulnerability Assessment</strong> provides detection and reporting of known vulnerabilities on your systems that have not yet been corrected.&nbsp; Attackers continually search for ways to penetrate computer defenses, and a vulnerability assessment shows you where to harden your defenses against such attacks.</li>
<li><strong>Continuous Compliance</strong> includes policies that you can use to ensure continuous compliance with regulatory standards such as HIPAA, PCI-DSS, NIST 800-53, SOX, NERC, and FDCC.</li>
<li><strong>File Integrity Verification</strong> is a fast and reliable process to verify that the software deployed on your systems is valid, current, and properly deployed, and has not been infected or altered by malicious software. It also identifies any software that should not be on your network.</li>
</ul>
<p>The use of such <strong>Breach Detection Tools</strong> both hardens your computer systems’ defenses, making them less likely to be compromised, and greatly reduces detection time if a breach does occur.&nbsp; These tools provide exceptional visibility into, and reporting on, the compliance and security of your computer network, which significantly reduces your organization’s liabilities.</p>
<p>In order to help your organization reduce the possibility of being breached and limit the financial impact if breached, Third Rock is offering a Free Cyber Security/Breach Assessment for the first 50 organizations that contact us.&nbsp; All we need to know is the name of the healthcare organization and the contact information for the individual(s) responsible for HIPAA/Information Technology compliance.&nbsp; Send this contact information to <a href="mailto:info@thirdrock.com">info@thirdrock.com</a> or call us at 512-310-0020.</p>
<p>For more information on Third Rock’s Worry-Free Compliance, please visit us at <a href="http://www.thirdrock.com">www.thirdrock.com</a>.</p>
<p>The post <a href="https://thirdrock.com/blog/2015/09/17/protecting-yourself-from-a-cyber-breach-3-of-3/">Protecting Yourself from a Cyber Breach (3 of 3)</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1001</post-id>	</item>
		<item>
		<title>Impact of a Healthcare Breach (2 of 3)</title>
		<link>https://thirdrock.com/blog/2015/09/10/impact-of-a-healthcare-breach-2-of-3/</link>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Thu, 10 Sep 2015 13:15:06 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA fines]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[liability]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=999</guid>

					<description><![CDATA[<p>This article is the second in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, that highlights the financial impact of a cyber-breach for healthcare [&#8230;]</p>
<p>The post <a href="https://thirdrock.com/blog/2015/09/10/impact-of-a-healthcare-breach-2-of-3/">Impact of a Healthcare Breach (2 of 3)</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/burningin_money.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-1022" style="margin-bottom: 10px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/burningin_money.jpg?resize=200%2C192&#038;ssl=1" alt="burningin_money" width="200" height="192" /></a>This article is the second in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, that highlights the financial impact of a cyber-breach for healthcare organizations and why it is so important to protect your healthcare data.</p>
<p>A healthcare breach has a wide and significant impact on a healthcare organization, whether small or large.  Here are some examples of the costs associated with healthcare breaches:</p>
<ul>
<li><strong>Negative media/publicity</strong> is one of the first and possibly the most devastating negative impacts of a healthcare breach – current and potential customers will be unlikely to use a healthcare organization that cannot protect their sensitive information, particularly ePHI.</li>
<li>The <strong>Cost to Remediate the breach</strong> is often the second noticeable impact of a breach.
<ul>
<li>First, there are the <u>Triage Costs</u> of the breach itself – bringing in forensic teams to investigate the breach (the how, what, and where); implementing business continuity and back-up plans; and bringing in extra IT staff to restore or repair corrupted data and implement the necessary security safeguards.</li>
<li>Second, there are the <u>Clean-up Costs</u> for all of the identities of the people affected by the breach. The estimated cost to clean up such records is around $18,000 per individual.</li>
</ul>
</li>
<li><strong>Consumer class action lawsuits</strong> are often the next cost of a breach. Target and Home Depot are contending with numerous consumer class action lawsuits (Target: 140+ and Home Depot: 44) while Healthcare insurer Anthem is just beginning to see consumer lawsuits being filed in numerous states.  Target has recently offered a proposed settlement of $10 million for their class action lawsuits.</li>
</ul>
<p>All of the items above will lead to lost revenues, increased costs, and reduced profits.</p>
<ul>
<li>There is one more cost to a healthcare breach – <strong>HIPAA Fines</strong>, which can range from $100 to $50,000 per breached record, depending upon the level of HIPAA compliance and awareness of HIPAA privacy and security requirements by the healthcare organization.</li>
</ul>
<p>As healthcare organizations become more automated, connected to the internet, and implement more EHR/EMR systems and other electronic data exchanges, the opportunity for cyber breaches will only increase.</p>
<p>Next week’s article will discuss what you can do to reduce the possibility of a cyber-security breach and how you can protect your organization now.  At the end of this series on cyber security breaches, Third Rock will have a special offer for those organizations ready to improve their protection against cyber-breaches.</p>
<p>For more information on Third Rock’s Worry-Free Compliance, please visit us at: <a href="http://www.thirdrock.com">www.thirdrock.com</a>.</p>
<p>The post <a href="https://thirdrock.com/blog/2015/09/10/impact-of-a-healthcare-breach-2-of-3/">Impact of a Healthcare Breach (2 of 3)</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">999</post-id>	</item>
		<item>
		<title>Cyber Breach – No One is Immune</title>
		<link>https://thirdrock.com/blog/2015/09/01/cyber-breach-no-one-is-immune/</link>
					<comments>https://thirdrock.com/blog/2015/09/01/cyber-breach-no-one-is-immune/#comments</comments>
		
		<dc:creator><![CDATA[Gordon Taylor]]></dc:creator>
		<pubDate>Tue, 01 Sep 2015 14:45:09 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[HIPAA Training]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security alert]]></category>
		<category><![CDATA[strategy]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=994</guid>

					<description><![CDATA[<p>This article is the first in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, explaining the magnitude and business impact of cyber security breaches [&#8230;]</p>
<p>The post <a href="https://thirdrock.com/blog/2015/09/01/cyber-breach-no-one-is-immune/">Cyber Breach – No One is Immune</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/shot_billb.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-995 size-medium" style="margin-bottom: 10px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/shot_billb.jpg?resize=300%2C225&#038;ssl=1" alt="shot_billb" width="300" height="225" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/shot_billb.jpg?resize=300%2C225&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/shot_billb.jpg?w=500&amp;ssl=1 500w" sizes="(max-width: 300px) 100vw, 300px" /></a>This article is the first in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, explaining the magnitude and business impact of cyber security breaches as well as steps you can take to protect your records and your organization.</p>
<p>Recent headlines have reported that cyber breaches are occurring with greater frequency than ever before. Everyone is familiar with the cyber breaches of Target, Home Depot, JP Morgan, Sony, and most recently, the federal Office of Personnel Management. Over 230 million people were affected by these five breaches alone! One of these breaches may have personally affected you.</p>
<p>In 2015, healthcare companies have increasingly become the target of cyber thieves. Anthem BCBS, Premera, and UCLA Health alone have accounted for over <strong>103.1 million healthcare records being compromised</strong> in just the first six months of 2015! To put this in perspective, in all of 2014, there were 333 healthcare breaches (almost one a day) affecting 8.3 million records.</p>
<p>So why the increased interest in healthcare records by cyber thieves? First, the introduction of security chips has made credit cards more difficult to abuse. Additionally, the value of a credit card is limited to the available spending limit on the card, and a credit card can be easily cancelled if compromised. The second, and more compelling, reason is that healthcare records have unlimited theft potential and are easier to obtain. A complete healthcare record includes a person’s name, address, phone number, birth date, social security number, and insurance numbers – everything a cyber thief needs to steal someone’s identity. With this information, an identity thief can apply for an unlimited number of credit cards, car loans, mortgages, etc. In other words, healthcare records are much more valuable to cyber thieves on the black market than credit cards.</p>
<p><a href="https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?ssl=1"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-834" style="margin-top: 10px; margin-bottom: 10px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?resize=200%2C200&#038;ssl=1" alt="Breach Repair Services" width="200" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?resize=300%2C300&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?resize=150%2C150&amp;ssl=1 150w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?resize=160%2C160&amp;ssl=1 160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-services-1.jpg?w=500&amp;ssl=1 500w" sizes="(max-width: 200px) 100vw, 200px" /></a>But why are healthcare records easier to obtain? Many healthcare organizations have been slow to improve the security of the protected health information (PHI) in their possession. While financial and business entities have increased their security spending in light of increased cyber-attacks, most healthcare organizations have not. Cyber thieves know this and are now exploiting this vulnerability, as evidenced by the 1175 percent increase in breached healthcare records so far in 2015.</p>
<p>HIPAA was significantly amended in 2009, in part, to address these security concerns, but many healthcare organizations have not yet implemented the required safeguards. This is where Third Rock’s Worry-Free Compliance solutions can help.</p>
<p>Next week’s article will discuss the financial impact of a cyber-breach for an organization and why it is so important to protect your data now. At the end of this series on cyber security breaches.</p>
<p>For more information on Third Rock’s Worry-Free Compliance, please visit us at: <a href="http://www.thirdrock.com">www.thirdrock.com</a></p>
<p>The post <a href="https://thirdrock.com/blog/2015/09/01/cyber-breach-no-one-is-immune/">Cyber Breach – No One is Immune</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://thirdrock.com/blog/2015/09/01/cyber-breach-no-one-is-immune/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">994</post-id>	</item>
	</channel>
</rss>
